Lessons From the City Of Dallas Ransomware Attack ​

Lessons from the City of Dallas Ransomware Attack

Table of Contents


Two weeks ago, the city of Dallas was impacted by a ransomware attack by the suspected ransomware group Royal. This same group also targeted the Dallas Central Appraisal District website in November 2022. In March 2023 CISA released a cybersecurity advisory warning about Royal Ransomware. The alert notes that criminals have been using a new Royal ransomware variant to target U.S. and international organizations since around September 2022. 
The May 2023 ransomware attack on Dallas affected various Dallas websites and services. The fallout from this includes: 

  • delayed 311 service requests 
  • closed courts with all cases rescheduled 
  • Dallas Water Utilities inability to process payments 
  • delayed application, registration, and payment operations for various city services 
  • Police, EMS, and fire departments reverted to manual radio communication and dispatch
  • Police are reportedly unable to use their patrol car computers delaying checks on license plates and warrants.
The repercussions from this attack highlight the effects of ransomware attacks on city services and public safety. Understanding the Royal ransomware group’s typical attack methodology can help organizations better defend themselves from future ransomware attacks. 

Royal Ransomware Access

CISA’s alert provides specific guidance and background on Royal ransomware. These malicious actors typically gain access through 4 methods (as of November 2022): 

  1. Phishing: 66.7% of Royal actors gain access through phishing emails 
  2. Remote Desktop Protocol (RDP): 13.3% of Royal actors gain access through RDP 
  3. Public-facing applications 
  4. Brokers  

Key ransomware mitigation strategy involves directly addressing Royal actors common methods of gaining initial access:

Royal Ransomware Process

After Royal actors gain access to a system they disable antivirus software, exfiltrate large amounts of data and use a custom file encryption program on target systems to lock out users. Royal actors will use this exfiltrated data to prove their access and also to threaten future data leaks. This combination of data extortion and ransomware is called double extortion. Double extortion involves both threatening to release data and block services through their ransomware encryption.  

CISA also notes that Royal actors use these common directories to save files:

Royal Ransomware IOCs

CISA’s alert includes various Indicators of Compromise (IOC) by Royal actors.  
For a detailed list, check out CISA’s Royal Ransomware alert. Files with the .royal file extension are an example IOC. The alert also includes a list of malicious IP addresses, malicious domains, SHA256 file hashes of commonly used tools by Royal actors and hash values of commonly used batch (.bat) scripts. The alert  includes common MITRE attack framework techniques for Initial Access, Command and Control, Escalation, Defense Evasion and Impact.  

CISA’s 15 Royal Ransomware Mitigation Guidelines

CISA provides a detailed list of ransomware mitigation recommendations. Here are 15 CISA recommendations to prevent Royal ransomware attacks: 
  1. Implement a data recovery plan.  
  2. Require all accounts with password logins comply with NIST standards. Refer for the CISA Alert for 8 NIST example policies. 
  3. Require multi-factor authentication. 
  4. Keep all operating systems, software, and firmware up to date. 
  5. Segment networks. 
  6. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.  
  7. Install, regularly update, and enable real time detection for antivirus software on all hosts. 
  8. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts. 
  9. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. 
  10. Disable unused ports. 
  11. Consider adding an email banner to emails received from outside your organization. 
  12. Implement time-based access for accounts set at the admin level and higher. 
  13. Disable command-line and scripting activities and permissions.  
  14. Maintain offline backups of data, and regularly maintain backup and restoration. 
  15. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. 

Secured also provides various cybersecurity services, including vulnerability assessments and penetration testing, that can help proactively protect businesses from cyber attacks.